{"id":"https://openalex.org/W4281642908","doi":"https://doi.org/10.1186/s42400-022-00111-2","title":"A flexible approach for cyber threat hunting based on kernel audit records","display_name":"A flexible approach for cyber threat hunting based on kernel audit records","publication_year":2022,"publication_date":"2022-06-01","ids":{"openalex":"https://openalex.org/W4281642908","doi":"https://doi.org/10.1186/s42400-022-00111-2"},"language":"en","primary_location":{"id":"doi:10.1186/s42400-022-00111-2","is_oa":true,"landing_page_url":"https://doi.org/10.1186/s42400-022-00111-2","pdf_url":"https://cybersecurity.springeropen.com/counter/pdf/10.1186/s42400-022-00111-2","source":{"id":"https://openalex.org/S3035238565","display_name":"Cybersecurity","issn_l":"2523-3246","issn":["2523-3246"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319965","host_organization_name":"Springer Nature","host_organization_lineage":["https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Cybersecurity","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"diamond","oa_url":"https://cybersecurity.springeropen.com/counter/pdf/10.1186/s42400-022-00111-2","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5111068870","display_name":"Fengyu Yang","orcid":"https://orcid.org/0009-0001-1094-8204"},"institutions":[{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Fengyu Yang","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]},{"raw_affiliation_string":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210165038"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101781741","display_name":"Yanni Han","orcid":"https://orcid.org/0000-0001-6820-4219"},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yanni Han","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5047170063","display_name":"Ying Ding","orcid":"https://orcid.org/0000-0003-2567-2009"},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Ying Ding","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5028785687","display_name":"Qian Tan","orcid":"https://orcid.org/0000-0001-7710-7082"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qian Tan","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100440518","display_name":"Zhi Xu","orcid":"https://orcid.org/0000-0001-7084-3511"},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhen Xu","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5111068870"],"corresponding_institution_ids":["https://openalex.org/I19820366","https://openalex.org/I4210156404","https://openalex.org/I4210165038"],"apc_list":null,"apc_paid":null,"fwci":1.4227,"has_fulltext":true,"cited_by_count":10,"citation_normalized_percentile":{"value":0.82100692,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":94,"max":98},"biblio":{"volume":"5","issue":"1","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.9990000128746033,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.9990000128746033,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9948999881744385,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7887780070304871},{"id":"https://openalex.org/keywords/audit","display_name":"Audit","score":0.6205295324325562},{"id":"https://openalex.org/keywords/audit-trail","display_name":"Audit trail","score":0.5269017219543457},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5212888717651367},{"id":"https://openalex.org/keywords/graph","display_name":"Graph","score":0.47849196195602417},{"id":"https://openalex.org/keywords/relation","display_name":"Relation (database)","score":0.4719599485397339},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.43180039525032043},{"id":"https://openalex.org/keywords/construct","display_name":"Construct (python library)","score":0.4313238263130188},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.3635908365249634},{"id":"https://openalex.org/keywords/data-science","display_name":"Data science","score":0.32965490221977234},{"id":"https://openalex.org/keywords/theoretical-computer-science","display_name":"Theoretical computer science","score":0.1672813892364502},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.10673701763153076},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.0966850221157074}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7887780070304871},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.6205295324325562},{"id":"https://openalex.org/C80958533","wikidata":"https://www.wikidata.org/wiki/Q1047174","display_name":"Audit trail","level":3,"score":0.5269017219543457},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5212888717651367},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.47849196195602417},{"id":"https://openalex.org/C25343380","wikidata":"https://www.wikidata.org/wiki/Q277521","display_name":"Relation (database)","level":2,"score":0.4719599485397339},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.43180039525032043},{"id":"https://openalex.org/C2780801425","wikidata":"https://www.wikidata.org/wiki/Q5164392","display_name":"Construct (python library)","level":2,"score":0.4313238263130188},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3635908365249634},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.32965490221977234},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.1672813892364502},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.10673701763153076},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.0966850221157074},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C201995342","wikidata":"https://www.wikidata.org/wiki/Q682496","display_name":"Systems engineering","level":1,"score":0.0},{"id":"https://openalex.org/C121955636","wikidata":"https://www.wikidata.org/wiki/Q4116214","display_name":"Accounting","level":1,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1186/s42400-022-00111-2","is_oa":true,"landing_page_url":"https://doi.org/10.1186/s42400-022-00111-2","pdf_url":"https://cybersecurity.springeropen.com/counter/pdf/10.1186/s42400-022-00111-2","source":{"id":"https://openalex.org/S3035238565","display_name":"Cybersecurity","issn_l":"2523-3246","issn":["2523-3246"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319965","host_organization_name":"Springer Nature","host_organization_lineage":["https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Cybersecurity","raw_type":"journal-article"},{"id":"pmh:oai:doaj.org/article:c571f1bfa8444eb4a7e7dc11da61c74b","is_oa":true,"landing_page_url":"https://doaj.org/article/c571f1bfa8444eb4a7e7dc11da61c74b","pdf_url":null,"source":{"id":"https://openalex.org/S112646816","display_name":"SHILAP Revista de lepidopterolog\u00eda","issn_l":"0300-5267","issn":["0300-5267","2340-4078"],"is_oa":true,"is_in_doaj":true,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Cybersecurity, Vol 5, Iss 1, Pp 1-16 (2022)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.1186/s42400-022-00111-2","is_oa":true,"landing_page_url":"https://doi.org/10.1186/s42400-022-00111-2","pdf_url":"https://cybersecurity.springeropen.com/counter/pdf/10.1186/s42400-022-00111-2","source":{"id":"https://openalex.org/S3035238565","display_name":"Cybersecurity","issn_l":"2523-3246","issn":["2523-3246"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319965","host_organization_name":"Springer Nature","host_organization_lineage":["https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Cybersecurity","raw_type":"journal-article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.47999998927116394,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4281642908.pdf","grobid_xml":"https://content.openalex.org/works/W4281642908.grobid-xml"},"referenced_works_count":23,"referenced_works":["https://openalex.org/W168132470","https://openalex.org/W2065126904","https://openalex.org/W2086512926","https://openalex.org/W2096347345","https://openalex.org/W2101341548","https://openalex.org/W2295705535","https://openalex.org/W2304366700","https://openalex.org/W2532844970","https://openalex.org/W2579106964","https://openalex.org/W2758108284","https://openalex.org/W2766852928","https://openalex.org/W2790557990","https://openalex.org/W2792591096","https://openalex.org/W2843669218","https://openalex.org/W2885157095","https://openalex.org/W2890262614","https://openalex.org/W2947745012","https://openalex.org/W2962703433","https://openalex.org/W2978956219","https://openalex.org/W2998038410","https://openalex.org/W3007878096","https://openalex.org/W3008508243","https://openalex.org/W3099203541"],"related_works":["https://openalex.org/W2366107444","https://openalex.org/W4388145910","https://openalex.org/W1976205134","https://openalex.org/W2381570729","https://openalex.org/W2124184151","https://openalex.org/W2487194309","https://openalex.org/W2750461430","https://openalex.org/W2374959091","https://openalex.org/W2581634534","https://openalex.org/W2079105056"],"abstract_inverted_index":{"Abstract":[0],"Hunting":[1],"the":[2,7,20,42,56,60,76,101,112,123,147,175,192,197],"advanced":[3],"threats":[4,154],"hidden":[5],"in":[6,118,155],"enterprise":[8],"networks":[9],"has":[10],"always":[11],"been":[12],"a":[13,160],"complex":[14,87],"and":[15,64,86,90,125,167],"difficult":[16,27],"task.":[17],"Due":[18],"to":[19,32,54,59,99,135,145],"variety":[21],"of":[22,44,128,199],"attacking":[23],"means,":[24],"it":[25],"is":[26,50,70,165],"for":[28,82,151,169],"traditional":[29],"security":[30,170],"systems":[31],"detect":[33],"threats.":[34],"Most":[35],"existing":[36],"methods":[37],"analyze":[38],"log":[39,45],"records,":[40,108],"but":[41],"amount":[43],"records":[46],"generated":[47],"every":[48],"day":[49],"very":[51],"large.":[52],"How":[53],"find":[55],"information":[57],"related":[58],"attack":[61,193],"events":[62],"quickly":[63,190],"effectively":[65,186],"from":[66],"massive":[67],"data":[68],"streams":[69],"an":[71],"important":[72],"problem.":[73],"Considering":[74],"that":[75,182],"knowledge":[77,102,129,149],"graph":[78,103,150],"can":[79,91,132,185],"be":[80,133],"used":[81],"automatic":[83],"relation":[84,88],"calculation":[85],"analysis,":[89],"get":[92],"relatively":[93],"fast":[94],"feedback,":[95],"our":[96,183],"work":[97],"proposes":[98],"construct":[100],"based":[104,173],"on":[105,174],"kernel":[106],"audit":[107,119],"which":[109,131,164],"fully":[110],"considers":[111],"global":[113],"correlation":[114],"among":[115],"entities":[116],"observed":[117],"logs.":[120],"We":[121],"design":[122],"construction":[124],"application":[126],"process":[127],"graph,":[130],"applied":[134],"actual":[136,153],"threat":[137],"hunting":[138,152,162],"activities.":[139],"Then":[140],"we":[141,158],"explore":[142],"different":[143],"ways":[144],"use":[146],"constructed":[148],"detail.":[156],"Finally,":[157],"implement":[159],"LAN-wide":[161],"system":[163],"convenient":[166],"flexible":[168],"analysts.":[171],"Evaluations":[172],"adversarial":[176],"engagement":[177],"designed":[178],"by":[179],"DARPA":[180],"prove":[181],"platform":[184],"hunt":[187],"sophisticated":[188],"threats,":[189],"restore":[191],"path":[194],"or":[195],"assess":[196],"impact":[198],"attack.":[200]},"counts_by_year":[{"year":2025,"cited_by_count":4},{"year":2024,"cited_by_count":4},{"year":2023,"cited_by_count":2}],"updated_date":"2026-03-18T14:38:29.013473","created_date":"2025-10-10T00:00:00"}